To: James Ban
Cc: Liam Girdwood, Mark Brown, linux-kernel@vger.kernel.org, ldv-project@linuxtesting.org
From: Anton Vasilyev
Subject: Buffer overread in pv88090-regulator.ko
Date: Tue, 1 Aug 2017 19:05:41 +0300

Hello.

While searching for memory errors in the Linux kernel I've come across the
drivers/regulator/pv88090-regulator.ko module.

A buffer overread could occur in pv88090_i2c_probe():

If such values for conf2 and range are read from a malicious device
(e.g. 0x10000000 and 0x1000 for PV88090_ID_BUCK2) that

    conf2 = (conf2 >> PV88090_BUCK_VDAC_RANGE_SHIFT) &
            PV88090_BUCK_VDAC_RANGE_MASK;

and

    range = (range >> (PV88080_BUCK_VRANGE_GAIN_SHIFT + i - 1)) &
            PV88080_BUCK_VRANGE_GAIN_MASK;

become 1, then

    index = ((range << 1) | conf2);

becomes 3, but index is used to dereference pv88090_buck_vol[3].

Should index=3 be considered an incorrect value, so that
pv88090_i2c_probe() must return an error, or should pv88090_buck_vol[]
be expanded?

Found by Linux Driver Verification project (linuxtesting.org).

--
Anton Vasilyev
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: vasilyev@ispras.ru
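
Added example, not part of the original message and not the driver's code: a user-space C model of the index computation described above, with a bounds check before the table lookup. The shift and mask values, the regulator id, the 8-bit register width and the three-entry table are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>

/* Assumed values for illustration; the real ones live in the driver header. */
#define VDAC_RANGE_SHIFT   7
#define VDAC_RANGE_MASK    0x01
#define VRANGE_GAIN_SHIFT  3
#define VRANGE_GAIN_MASK   0x01
#define ID_BUCK2           1   /* assumed regulator id, used as "i" below */
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Stand-in for pv88090_buck_vol[]: three constructed entries (minimum uV). */
static const int buck_vol_min_uV[] = { 600000, 1400000, 1250000 };

/* Same arithmetic as in the report, followed by a range check on the result.
 * conf2 and range are raw register values read from the (untrusted) device. */
static int buck_vol_lookup(unsigned int conf2, unsigned int range, int i,
                           int *min_uV)
{
    unsigned int index;

    conf2 = (conf2 >> VDAC_RANGE_SHIFT) & VDAC_RANGE_MASK;
    range = (range >> (VRANGE_GAIN_SHIFT + i - 1)) & VRANGE_GAIN_MASK;
    index = (range << 1) | conf2;

    if (index >= ARRAY_SIZE(buck_vol_min_uV))
        return -EINVAL;          /* reject instead of reading past the table */
    *min_uV = buck_vol_min_uV[index];
    return 0;
}

/* Count the 8-bit register pairs that the check rejects for regulator i. */
static unsigned int count_rejected(int i)
{
    unsigned int c, r, n = 0;
    int v;

    for (c = 0; c < 256; c++)
        for (r = 0; r < 256; r++)
            n += (buck_vol_lookup(c, r, i, &v) == -EINVAL);
    return n;
}

int main(void)
{
    printf("rejected register pairs: %u of 65536\n", count_rejected(ID_BUCK2));
    return 0;
}
```

Under these assumptions a quarter of all register pairs produce index 3, so the check is reachable by any device that sets both bits, not only by a single crafted pair.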